\section{Approach Overview}

\ourtool takes a privacy policy and a potentially unsafe app as input and generates a safe version of the app in which the privacy policy would be guaranteed to hold during runtime. 

\begin{figure*}
    \centering
    \includegraphics[width=0.8\textwidth]{drawings/arch-crop.pdf}
    \caption{\ourtool 's workflow as it is trying to enforce a privacy policy with a control flow property and 3 information flow properties.}
    \label{fig:arch}
\end{figure*}

Figure~\ref{fig:arch} shows \ourtool 's workflow as it is trying to enforce a privacy policy with a control flow property and 3 information flow properties. \ourtool first separates the input privacy policy into a control flow property (state transitions in the FSM) and a list of information flow property (the list of allowed or disallowed information flows). It then generates enforcement code for these properties separately.

{\bf Control flow enforcement generation} transforms a control flow property, defined as a finite state machine, into a set of additional enforcement instructions and variables. More specifically, it adds a global variable to keep track of the current state, and generate a enforcement instruction for each of the state transition instructions (edges in the FSM). 

{\bf Information flow enforcement generation} takes a single information flow property, defined as a source and sink pair (such as {\em Filesystem to Internet} is not allowed), and generates taint propagation code that would track data from the sensitive sink during runtime. When the sink instruction (such as invoking uploadToInternet API) is about to be executed, the enforcement code will inspect its parameters and determine if the app is trying to exfiltrate sensitive data. When the app is trying to exfiltrate non-sensitive data, the execution will be allowed to continue. However, when the app is trying to exfiltrate sensitive data and the specific information flow is not allowed in the current control flow state according to the privacy policy, the enforcement code will intercept the program execution because a violation to the privacy policy has been detected. After that, the enforcement code can either skip the exfiltration instruction and warn the user or terminate the app and send a warning to the system administrator. We will discuss more about the information flow enforcement generation engine in the next section.









